Presents
What Security Pros Need to Know About Cloud
Rich Mogull
Securosis LLC
rmogull@securosis.com
http://securosis.com
The Disruption of the Cloud
Multitenancy Isn’t the Issue
[Diagram: tenants AAAA, BBBB and CCCC on shared infrastructure]
• We have always secured shared infrastructure.
• We have always trusted our data to others.
• Our existing processes and controls will still work.
• It is the abstraction and automation of cloud that really impact security.
Abstraction
[Diagram: Customer; Compute, Networks, Storage]
• Visibility changes
• Can’t rely on boxes and wires
• Can’t rely on physical controls
Automation
[Diagram: VMs on hypervisors form a Compute Pool and a Storage Pool, each under Management and Orchestration; a Compute Controller and a Storage/Volume Controller sit on the Management Network (using APIs), which connects to the Outside World]
Cloud computing resources change in minutes and seconds.
Scans, static settings, and caches can’t keep up.
DevOps, SecOps, and Cloud
• DevOps is an operational framework.
• It is a natural outcome of cloud computing, not some weird over-hyped trend.
• Traditional silos condense, then operate with higher agility (and, ideally, resiliency).
• Security is most resistant to change (for good reasons): it relies on a manual operational model.
SecOps in Practice
[Diagram: five numbered steps in an instance launch]
• Inject startup script
• Pull secure credentials
• Register with config mgmt server
• Pull configuration
Adapting Security for the Cloud
• Don’t rely on boxes and wires.
• Be as elastic and agile as the cloud.
• Rely more on policy-based automation.
• Understand and adjust for cloud characteristics (e.g. security groups vs. firewalls).
• Integrate with DevOps.
http://the4faces.com/2011/09/29/stages-of-evolution/
Control the Management Plane
• Harden Web and API Servers
• Leverage Cloud IAM
• Compartment with IAM
• Audit, Log, and Alert
• Use a Management Plane Proxy
Automate Host Security
• Embed agents in images and at launch.
• Integrate with configuration management.
• Dynamically configure agents.
• Prefer lightweight and agile agents.
• Host tools should support REST APIs.
Intelligently Encrypt
[Diagram: in a Public/Private Cloud (IaaS), an Instance running a Crypto Client with attached Storage; the Key Mgmt Server lives in an HSM, SECaaS, VM, or Server]
Federate Identity
[Diagram: Directory Server with Federation Extensions; SAML]
Adapt Network Security
• Design a good security group baseline.
• Augment with host firewall that coordinates with cloud.
• Push more security into the host.
• Prefer virtual network security appliances that support cloud APIs.
• Take advantage of cloud APIs.
• Security policies must follow instances.
Leverage the Cloud
• Immutable servers
• Stateless security
• Security automation
• Software Defined Security
This is Real Today
Embedding and Validating Security Agents
[Diagram: Build In, Inject, Config Push; Tie to Running Services; Tie to Cloud Platform]
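The "Automate Host Security" and "Embedding and Validating Security Agents" slides describe baking an agent into images, pushing it a policy, and tying it to the cloud platform. The validation half is what people skip: reconcile what the cloud platform says is running against what the agent server has actually heard from. The following is an added example, not code from the slides or from any product they mention; the inventory, agent check-in records, image list and policy map are constructed sample data, and in practice they would come from the cloud provider's API and the agent management server.

```python
"""Reconcile a cloud inventory against security-agent check-ins (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample data: what the cloud platform reports as running.
CLOUD_INVENTORY = [
    {"instance_id": "i-0a1", "image_id": "ami-web-2024", "tags": {"env": "prod", "role": "web"}},
    {"instance_id": "i-0a2", "image_id": "ami-web-2024", "tags": {"env": "prod", "role": "web"}},
    {"instance_id": "i-0b3", "image_id": "ami-db-2023", "tags": {"env": "prod", "role": "db"}},
    {"instance_id": "i-0c4", "image_id": "ami-unknown", "tags": {"env": "dev", "role": "test"}},
]

# Constructed sample data: the last heartbeat and active policy per agent.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
AGENT_CHECKINS = [
    {"instance_id": "i-0a1", "last_seen": NOW - timedelta(minutes=2), "policy": "web-baseline"},
    {"instance_id": "i-0a2", "last_seen": NOW - timedelta(hours=3), "policy": "web-baseline"},
    {"instance_id": "i-0b3", "last_seen": NOW - timedelta(minutes=1), "policy": "web-baseline"},  # db host on web policy
    {"instance_id": "i-dead", "last_seen": NOW - timedelta(minutes=5), "policy": "web-baseline"},  # not in inventory
]

# "Build In": images known to carry the agent (assumed image ids).
IMAGES_WITH_AGENT = {"ami-web-2024", "ami-db-2023"}
# "Config Push": the policy each role is supposed to run (assumed names).
EXPECTED_POLICY = {"web": "web-baseline", "db": "db-baseline", "test": "dev-baseline"}
# "Tie to Running Services": an agent silent for longer than this is treated as down.
HEARTBEAT_MAX_AGE = timedelta(minutes=15)


def reconcile(inventory, checkins, now=NOW):
    """Return {finding_kind: sorted instance ids} for everything that breaks the agent baseline."""
    seen = {c["instance_id"]: c for c in checkins}
    known = {i["instance_id"] for i in inventory}
    findings = {"no_agent": [], "stale_agent": [], "wrong_policy": [],
                "image_missing_agent": [], "unknown_host": []}
    for inst in inventory:
        iid = inst["instance_id"]
        # The image was not built with the agent, so launch-time injection is the only hope.
        if inst["image_id"] not in IMAGES_WITH_AGENT:
            findings["image_missing_agent"].append(iid)
        agent = seen.get(iid)
        if agent is None:
            findings["no_agent"].append(iid)       # running without any coverage
            continue
        if now - agent["last_seen"] > HEARTBEAT_MAX_AGE:
            findings["stale_agent"].append(iid)    # agent installed but not reporting
        if agent["policy"] != EXPECTED_POLICY.get(inst["tags"].get("role")):
            findings["wrong_policy"].append(iid)   # config push did not follow the instance
    # "Tie to Cloud Platform": an agent the platform does not know about is stale or rogue.
    for iid in seen:
        if iid not in known:
            findings["unknown_host"].append(iid)
    return {kind: sorted(ids) for kind, ids in findings.items()}


if __name__ == "__main__":
    for kind, ids in reconcile(CLOUD_INVENTORY, AGENT_CHECKINS).items():
        print(f"{kind:20s} {ids}")
```

The check runs in both directions on purpose: instances without an agent are the coverage gap the slides warn about, while agents reporting for hosts the platform no longer lists are either terminated instances still in the console or hosts you did not launch.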
Compartmentalize with IAM
[Table: Sec, Dev, Region, Prod, Action, Object]
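The "Compartment with IAM" and "Compartmentalize with IAM" slides show a matrix of roles (Sec, Dev, Prod) against Region, Action and Object. The idea is that a role's permissions are scoped to its own compartment by conditions rather than by trusting people to stay in their lane. The following is an added example, not from the slides: it builds an AWS-style policy document for a Dev role, scoped to one region and to resources tagged env=dev, with an explicit deny on anything tagged env=prod, and then evaluates it with a deliberately simplified model of IAM's decision logic (explicit deny wins, then allow, else implicit deny). The condition keys aws:RequestedRegion and ec2:ResourceTag/env are real; the role name, tag values and the evaluator itself are assumptions, and the evaluator does not reproduce every rule of the real engine.

```python
"""Compartmentalize a Dev role with an IAM-style policy and check it (added example)."""
import fnmatch
import json

# Actions chosen because they support resource-tag conditions in AWS IAM.
DEV_ACTIONS = ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"]


def dev_policy(region="us-east-1"):
    """Dev may act only on env=dev resources in one region; prod is explicitly denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DevCompartmentOnly",
                "Effect": "Allow",
                "Action": DEV_ACTIONS,
                "Resource": "*",
                "Condition": {"StringEquals": {
                    "aws:RequestedRegion": region,      # Region column of the matrix
                    "ec2:ResourceTag/env": "dev",       # Object column: only dev-tagged objects
                }},
            },
            {
                "Sid": "NeverTouchProd",
                "Effect": "Deny",                        # explicit deny beats any later allow
                "Action": "*",
                "Resource": "*",
                "Condition": {"StringEquals": {"ec2:ResourceTag/env": "prod"}},
            },
        ],
    }


def _action_matches(patterns, action):
    """IAM actions may be wildcards such as ec2:* or *."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _conditions_match(conditions, ctx):
    """Only StringEquals is modelled; every listed key must match the request context."""
    return all(ctx.get(key) == value
               for key, value in conditions.get("StringEquals", {}).items())


def evaluate(policy, action, ctx):
    """Simplified IAM decision: ExplicitDeny > Allow > ImplicitDeny (assumption, not the real engine)."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _action_matches(statement["Action"], action):
            continue
        if not _conditions_match(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


# Constructed request contexts: what a Dev principal might try.
SCENARIOS = {
    "stop dev instance in home region": ("ec2:StopInstances",
        {"aws:RequestedRegion": "us-east-1", "ec2:ResourceTag/env": "dev"}),
    "stop prod instance": ("ec2:StopInstances",
        {"aws:RequestedRegion": "us-east-1", "ec2:ResourceTag/env": "prod"}),
    "stop dev instance in another region": ("ec2:StopInstances",
        {"aws:RequestedRegion": "eu-west-1", "ec2:ResourceTag/env": "dev"}),
    "terminate dev instance (not granted)": ("ec2:TerminateInstances",
        {"aws:RequestedRegion": "us-east-1", "ec2:ResourceTag/env": "dev"}),
    "untagged object": ("ec2:StopInstances", {"aws:RequestedRegion": "us-east-1"}),
}


def run_scenarios(policy=None):
    """Return {scenario: decision} so the compartment boundaries can be checked in one call."""
    policy = policy or dev_policy()
    return {name: evaluate(policy, action, ctx) for name, (action, ctx) in SCENARIOS.items()}


if __name__ == "__main__":
    print(json.dumps(dev_policy(), indent=2))
    for name, decision in run_scenarios().items():
        print(f"{decision:13s} {name}")
```

Two design points carry over to any IAM system: untagged objects fall into nobody's compartment and end up implicitly denied, which is the safe default, and the prod deny is a separate statement so that a later, broader allow granted to the same role cannot accidentally reopen it.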
Hypersegregate with Security Groups
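"Design a good security group baseline" and "Hypersegregate with Security Groups" both come down to one rule: each tier's group admits traffic only from the group of the tier in front of it, CIDR sources are reserved for the edge and the bastion, and management ports are reachable only from the bastion group. Because security groups change as fast as the instances behind them, the baseline is worth checking by code rather than by eye. The following audit is an added example, not from the slides; the group ids, rules and tier model are constructed assumptions, and a real run would read the groups from the cloud API (all-traffic rules are represented here as protocol "-1" over ports 0-65535, which is a simplification of how providers encode them).

```python
"""Audit a security-group baseline for hypersegregation (added example)."""
from ipaddress import ip_network

# Tier model (assumed): who may use CIDR sources, who may face the internet, who owns management access.
ENTRY_GROUPS = {"sg-web", "sg-bastion"}    # only these may use CIDR sources at all
PUBLIC_EDGE_GROUPS = {"sg-web"}             # only these may be reachable from 0.0.0.0/0
PUBLIC_OK_PORTS = {80, 443}                 # and only on these ports
MGMT_PORTS = {22, 3389}
MGMT_SOURCE_GROUPS = {"sg-bastion"}         # the only permitted source for management ports

# Constructed sample groups: a bastion, a web tier, an app tier and a database tier.
SECURITY_GROUPS = [
    {"id": "sg-bastion", "ingress": [
        {"proto": "tcp", "from": 22, "to": 22, "src": "203.0.113.0/24"},   # corporate range (constructed)
    ]},
    {"id": "sg-web", "ingress": [
        {"proto": "tcp", "from": 443, "to": 443, "src": "0.0.0.0/0"},      # fine: public edge on 443
        {"proto": "tcp", "from": 22, "to": 22, "src": "sg-bastion"},       # fine: SSH only from bastion
    ]},
    {"id": "sg-app", "ingress": [
        {"proto": "tcp", "from": 8080, "to": 8080, "src": "sg-web"},       # fine: only the tier in front
        {"proto": "tcp", "from": 22, "to": 22, "src": "0.0.0.0/0"},        # bad: SSH from anywhere
    ]},
    {"id": "sg-db", "ingress": [
        {"proto": "tcp", "from": 5432, "to": 5432, "src": "10.0.0.0/8"},   # bad: CIDR instead of sg-app
        {"proto": "-1", "from": 0, "to": 65535, "src": "sg-app"},          # bad: all traffic, not one port
    ]},
]


def is_cidr(src):
    return "/" in src


def is_internet(src):
    """True for 0.0.0.0/0 or ::/0."""
    return is_cidr(src) and ip_network(src, strict=False).prefixlen == 0


def audit(groups):
    """Return (group_id, check, rule) tuples for every ingress rule that breaks the baseline."""
    findings = []
    for group in groups:
        gid = group["id"]
        for rule in group["ingress"]:
            src, lo, hi = rule["src"], rule["from"], rule["to"]
            rule_ports = set(range(lo, hi + 1))
            where = f"{rule['proto']} {lo}-{hi} from {src}"
            # Any-protocol rules defeat the point of per-tier, per-port groups.
            if rule["proto"] == "-1":
                findings.append((gid, "all_traffic", where))
            # Internet exposure is allowed only on the edge group and only on web ports.
            if is_internet(src) and not (gid in PUBLIC_EDGE_GROUPS and rule_ports <= PUBLIC_OK_PORTS):
                findings.append((gid, "internet_exposed", where))
            # Management ports come only from the bastion group (the bastion itself is the entry point).
            if rule_ports & MGMT_PORTS and src not in MGMT_SOURCE_GROUPS and gid not in MGMT_SOURCE_GROUPS:
                findings.append((gid, "mgmt_port", where))
            # Internal tiers reference groups, never address ranges, so policy follows the instance.
            if is_cidr(src) and gid not in ENTRY_GROUPS:
                findings.append((gid, "cidr_in_internal_tier", where))
    return findings


if __name__ == "__main__":
    for gid, check, where in audit(SECURITY_GROUPS):
        print(f"{gid:11s} {check:22s} {where}")
```

The last check is the one that matters most for elasticity: a rule that says "from sg-web" keeps working when the web tier scales from two instances to twenty, whereas a rule that says "from 10.0.0.0/8" silently admits every instance that ever lands in that range.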
Where to go From Here?
What your CISO needs to know
Nicholai Piagentini
Sr. Solutions Architect
First an allegorical example
• Large enterprise, traditional physical datacenter, traditional security.
• Growth by acquisitions introduces a widely disparate set of new environments to secure.
• Most acquisitions are in the cloud already and did not consider security as critical as the parent company.
• Security had to find a solution to fit all of it.
Key points for this example
• Cannot rely on boxes and wires
– Multiple clouds, multiple physical datacenters.
– Host-based security is the only option that scales.
• Elastic and Agile Security
– New acquisitions on the horizon, no real end in sight.
– Baking security into the stack makes this easy.
• Policy Based Automation
– Server Groups can link like servers across deployments.
How Halo helped
• Halo is a Security Automation Platform.
• The Halo agent is deployed onto the individual virtual hosts.
• Policy is defined on our cloud-based Security Analytics Engine.
• Does not rely on any specific hypervisor system.
• Policy follows the image wherever it goes.

Cloud Security: Make Your CISO Successful

Editor's Notes
• Slide 22: Azure, Rackspace, Amazon and physical data center